RuiFiske -> Supported Delegation scenario? (12.Mar.2009 10:10:32 AM)

I have two Windows 2003 security domains/forests, A and B, both controlled by different teams within my company. They are separated by a dual-homed ISA Server 2006, which is a member of domain A.

We have published a web site in domain B, which requires integrated authentication. However, the web server does not have access to the DC from domain A, and so cannot authenticate the users from domain A. There is a user account in domain B that has been created to be used by the ISA Server.
What we wish to do is manage access to the web site through a web publishing rule on the ISA Server. ISA would log and control access to the site from domain A, but then use the special ISA account to access the web site. Meanwhile, users from domain B would access the site as normal using their local credentials.

However, the Authentication Delegation options in the web publishing rule do not allow you to implement this scenario. Either the credentials are forwarded through delegation (which requires trust between the domains), or they are not, in which case a site requiring authentication would fail.

It is frustrating, because in a web chaining rule, it is possible to specify the credentials that you want to pass on to the next node in the chain.

Does anyone have any experience of trying to implement a scenario like this, or have any suggestions of how I may achieve it?

Jason Jones -> RE: Supported Delegation scenario? (12.Mar.2009 12:45:59 PM)

Does this really relate to ISA?

If the web server cannot validate credentials with the non-trusted domain, I'm confused as to how you think ISA can help?

I can't think of anything ISA can do natively...maybe you could write a custom web filter to help??? Maybe drop Greg a line at Collective Software.

Rhys.Goodwin -> RE: Supported Delegation scenario? (12.Mar.2009 5:08:45 PM)

One way you could do it is have another instance of the same website on the IIS server in Domain B. Enable anonymous access on this site but restrict IP access to only the ISA server.

What you really want is another option on the delegation tab to say "delegate this specified credential" and specify user name and password. Is this what you're getting at?

RuiFiske -> RE: Supported Delegation scenario? (13.Mar.2009 4:39:20 AM)

Hi Rhys,

Thank you for your reply. You have understood the scenario perfectly.

Your suggestion is a good one, and is indeed how we are doing it at the moment (second site with anonymous access limited by IP).

Exactly what I would like is an option in Authentication Delegation, saying "Always use these credentials". The website would then be able to authenticate this account, as it would be provisioned in Domain B.

By the sound of Jason's reply, though, this is not possible without a custom filter. Is this correct?
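A model of the "always use these credentials" option Rhys and RuiFiske describe, added here as an example that is not part of the thread or of ISA Server: the proxy authenticates the caller against its own directory, logs the real user, and only then forwards the request with a fixed service account, so the back end still receives the original identity. It uses HTTP Basic on both hops so it runs offline, rather than the integrated authentication the thread discusses; the user directory, the service account and the X-Forwarded-User header are assumptions.

```python
import base64
import hmac
import logging

# Constructed directory standing in for domain A's users (assumption, not a real store).
FRONTEND_USERS = {"alice": "alice-pass", "bob": "bob-pass"}

# Hypothetical dedicated account provisioned in domain B for the proxy's use.
SERVICE_ACCOUNT = ("isa-web-svc", "svc-secret")

log = logging.getLogger("publishing-rule")


def basic_header(user, password):
    """Build a 'Basic <base64>' Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _parse_basic(header):
    """Return (user, password) from a Basic header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def build_upstream_request(client_headers, users=FRONTEND_USERS, service=SERVICE_ACCOUNT):
    """Authenticate the caller at the proxy, then rewrite the request to use the
    fixed service credentials. Returns (status, headers for the next hop)."""
    challenge = {"WWW-Authenticate": 'Basic realm="domain-a"'}
    creds = _parse_basic(client_headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = users.get(user)
    # Constant-time comparison of the supplied password against the stored one.
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        log.warning("rejected front-end login for %r", user)
        return 401, challenge
    log.info("front-end user %r allowed; forwarding as %r", user, service[0])
    # Drop the caller's credentials; never let them reach the untrusting domain.
    upstream = {k: v for k, v in client_headers.items() if k != "Authorization"}
    upstream["Authorization"] = basic_header(*service)
    upstream["X-Forwarded-User"] = user  # keep the real identity for back-end logs
    return 200, upstream
```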
